Diffstat (limited to 'src/fseccomp/seccomp.c')
-rw-r--r-- | src/fseccomp/seccomp.c | 12 |
1 files changed, 12 insertions, 0 deletions
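diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 2a719725e..95c20d388 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -80,6 +80,10 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
 
 // build pre-exec filter: don't blacklist any syscalls in @default-keep
 filter_init(fd);
+
+// allow exceptions in form of !syscall
+syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
+
 char *prelist, *postlist;
 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
 if (prelist)
@@ -128,6 +132,10 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 // build pre-exec filter: blacklist @default, don't blacklist
 // any listed syscalls in @default-keep
 filter_init(fd);
+
+// allow exceptions in form of !syscall
+syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
+
 add_default_list(fd, allow_debuggers);
 char *prelist, *postlist;
 syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
@@ -175,6 +183,10 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 
 // build pre-exec filter: whitelist also @default-keep
 filter_init(fd);
+
+// allow exceptions in form of !syscall
+syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);
+
 // these syscalls are used by firejail after the seccomp filter is initialized
 int r;
 r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);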
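Review bot: The new `syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);` call in seccomp_keep discards the function's return value, while the pre-existing `@default-keep` call two lines below captures it into `r`; the same discarded return appears in the seccomp_drop and seccomp_default_drop hunks. If a non-zero return signals a rejected or unknown `!syscall` entry (inferred from the existing `int r` usage, worth confirming), the filter would presumably be built without that exception and nobody would notice, so I'd write `r = syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);` in all three places and handle `r` the way the existing call does (its error handling continues outside the hunk). In seccomp_keep the exclusion blacklist is also emitted before the `@default-keep` whitelist, so depending on how the generated filter resolves overlapping rules a `!syscall` naming one of the post-init syscalls may affect firejail's own calls; a short comment stating the intended precedence between the two would make that explicit. All three function bodies start before and end after their hunks.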